NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

REVIEW OF THE IMPLEMENTATION OF HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12
Report #OIG-08-06
June 4, 2008

William A. DeSarno
Inspector General

Released by: James Hagen, Deputy IG for Audits
Auditor-in-Charge: W. Marvin Stith, CISA, Senior Information Technology Auditor


TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
OBJECTIVE
SCOPE & METHODOLOGY
RESULTS
    A. NCUA did not meet OMB milestones for issuing credentials
    B. The PIV credentials NCUA planned to issue do not meet HSPD-12 requirements
    C. NCUA does not have an HSPD-12 Implementation Plan
    D. NCUA does not have accredited and approved procedures for verifying the identities of its employees and contractor employees or for issuing and managing PIV credentials
    E. NCUA contracts do not require contractor employee compliance with HSPD-12
APPENDIX: NCUA Management Comments


EXECUTIVE SUMMARY

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) performed an audit to determine the status of NCUA's implementation of Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. To determine NCUA's status in implementing HSPD-12, we interviewed management and staff from the NCUA Office of the Chief Information Officer (OCIO), Office of Human Resources (OHR), Office of General Counsel (OGC), and the Office of the Chief Financial Officer (OCFO) Division of Procurement and Facilities Management (DPFM). We also interviewed a representative from the General Services Administration (GSA). In addition, we reviewed HSPD-12 policies and requirements, as well as NCUA documentation, procedures and policies regarding HSPD-12 implementation.

We determined NCUA has made progress towards issuing Personal Identity Verification (PIV) credentials to its employees and contractor employees. NCUA has verified, initiated, or completed background investigations on its employees. In addition, NCUA has begun initiating background investigations on its contractor employees. Furthermore, NCUA proofed and registered [1] its existing employees and contractor employees starting in August 2006. However, NCUA has not issued credentials to new or existing employees and contractor employees as required, and the credentials NCUA plans to issue do not meet HSPD-12 and Federal Information Processing Standard 201 (FIPS 201) requirements. In addition, NCUA has not fulfilled other HSPD-12 requirements. Specifically, NCUA:

    • Does not have an implementation plan;
    • Does not have an accredited and approved identity proofing and registration process;
    • Does not have an accredited and approved PIV issuance and management process; and
    • Has not included language in contracts requiring compliance with HSPD-12 and FIPS 201.

We made eight recommendations where improvements could be made. Management agreed with seven of the recommendations and is taking corrective action or has plans to address the recommendations. Management disagreed with the recommendation to place a federal cross-certified certificate on the credentials and made a business decision to place the certificate only on senior NCUA staff credentials. Management believes that, given limited interoperability with other federal agencies and the significant cost per certificate involved, the expenditure of NCUA funds for the cross-certified certificate is not justified for all employees at this time. A complete copy of management's formal written response is attached as an appendix to this report.

[1] Identity proofing and registration are the activities involved in verifying identities and recording that information.


BACKGROUND

On August 27, 2004, the President signed HSPD-12, which provides policy guidelines to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and contractors (including contractor employees). "Secure and reliable forms of identification" for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process.

On February 25, 2005, the Secretary of Commerce approved and issued Federal Information Processing Standard 201, Personal Identity Verification of Federal Employees and Contractors (FIPS 201). The National Institute of Standards and Technology (NIST) developed this standard to satisfy the requirements of HSPD-12. The Office of Management and Budget (OMB) is responsible for ensuring compliance with HSPD-12. On August 5, 2005, OMB issued a memorandum (M-05-24) that provided instructions to agencies for implementing HSPD-12 and FIPS 201. According to M-05-24, HSPD-12 requires agencies to conduct a background investigation, adjudicate the results, and issue identity credentials to their employees and contractors who require long-term access to federally controlled facilities or information systems. However, it does not apply to individuals under contract to a department or agency who require only intermittent access to federally controlled facilities.

FIPS 201 is composed of two parts: PIV-I and PIV-II. PIV-I describes the minimum requirements for a federal personal identification system that meets the control and security objectives of HSPD-12, including personal identity proofing, registration, and issuance. PIV-II provides detailed technical specifications to support the control and security objectives in PIV-I as well as interoperability among federal departments and agencies. PIV-II describes the policies and minimum requirements of a PIV Card that allows interoperability of credentials for physical access and logical access.


OBJECTIVE

The objective of this review was to assess the status of NCUA's implementation of HSPD-12.


SCOPE & METHODOLOGY

To determine the status of NCUA's implementation of HSPD-12, we interviewed management or staff from the NCUA OCIO, OHR, OGC, and OCFO DPFM. We also interviewed a representative from the GSA. In addition, we reviewed HSPD-12 policies and requirements, and NCUA documentation, procedures and policies regarding HSPD-12 implementation.

We conducted our fieldwork from February 2008 through May 2008 and performed this review in accordance with Generally Accepted Government Auditing Standards.


RESULTS

A. NCUA did not meet OMB milestones for issuing credentials

NCUA has made progress towards issuing PIV credentials to its employees and contractor employees. OHR verified, initiated, or completed employee background checks and has begun pursuing contractor background investigations. OHR also proofed and registered existing NCUA employees and contractor employees starting in August 2006. However, NCUA has not issued credentials to new or existing employees and contractor employees as required. OMB required agencies to:

    • Begin issuing credentials to new employees and contractor employees by October 27, 2006; and
    • Issue and use credentials for current employees and contractor employees by October 27, 2007.

In addition, FIPS 201 required that the identity credentials agencies issue to individuals without a completed background investigation must be electronically distinguishable from identity credentials issued to individuals who have a completed investigation.

NCUA reported to OMB that as of September 2007, it had 942 employees that required PIV credentials. NCUA also reported that all its employees had completed or adjudicated background investigations. [2] However, NCUA had issued only one credential. NCUA reported to OMB that it had issued only 10 credentials as of December 2007. In addition, as of May 6, 2008, OHR indicated it had 40 contractor employees on staff requiring background investigations and had initiated the paperwork for 23 of these contractor employees. [3] NCUA indicated that technology issues impacted its ability to produce PIV credentials.

While NCUA did not meet required OMB milestones for issuing its credentials, OMB indicated, on October 26, 2007, that no federal agency would meet the October 27, 2007 deadline. OMB reported that as of March 1, 2008, federal agencies had issued credentials to approximately three percent of employees and three percent of contractor employees. OMB indicated that unexpected technical difficulties caused agencies to miss the goal.

Considering the status of the majority of the federal community in issuing credentials, we did not consider that NCUA's status would have any adverse impact regarding the HSPD-12 goal for interoperability among federal departments and agencies. Therefore, we are not making a recommendation regarding this issue at this time.

[2] NCUA indicated to the OIG in April 2008 that it had one employee who entered on duty in March 2004 who did not have an initial background investigation. In addition, NCUA identified six employees who entered on duty between April and September 2007 for whom NCUA submitted their investigation paperwork to OPM prior to their entry on duty.
[3] For the purposes of this audit, we are defining "initiated" as the employee at least completed the paperwork and provided it to OHR.


B. The PIV credentials NCUA plans to issue do not meet HSPD-12 requirements

NCUA has made progress towards issuing credentials, and NCUA indicated to OMB in January 2008 that it would create credentials for all employees by March 31, 2008. However, the NCUA credential as configured does not incorporate the certificate required by FIPS 201. In addition, GSA had not validated the NCUA credential as configured.

OMB allows agencies to place additional certificates on their credentials. However, it mandates that a digital certificate be incorporated on the credential for access control that originates from:

    • An agency certification authority [4] cross-certified with the Federal Bridge Certification Authority (FBCA) [5] at medium assurance or higher; or
    • An approved Shared Service Provider.

OCIO configured the NCUA credential with a Microsoft [6] certificate that will allow NCUA users to access the NCUA VPN, but which is not cross-certified with the FBCA. A relying party at another agency validates a PIV certificate by building a certification path from that certificate to a federal trust anchor; a certificate issued by a certification authority with no cross-certificate from the FBCA cannot be chained to that anchor, so other agencies' systems cannot accept it regardless of how the card is otherwise configured. OCIO indicated it did not put the federal certificate on its credentials because (a) of the cost of procuring and maintaining a cross-certified certificate, and (b) the functionality for using the federal certificate is not yet available and therefore is not an issue. OCIO indicated it could add the certificate when the functionality for the certificate is available. However, OCIO recently decided to configure credentials for all NCUA Board members and executive staff with the federal certificate before the agency issues the credentials.

In addition, GSA did not validate the credential NCUA planned to issue with the Microsoft certificate. OMB required agencies to provide credentials with their agency's standard configuration to GSA for testing. GSA validated an NCUA credential in September 2007. However, the credential contained a certificate other than the Microsoft certificate NCUA plans to use. The GSA representative responsible for the testing indicated that when an agency changes certificates after GSA validated the credential, the agency should submit the updated credential for revalidation. We discussed this issue with OCIO, and OCIO indicated it would provide another credential to GSA.

Issuing a credential that meets federal requirements will ensure NCUA's ability to fulfill the HSPD-12 goals for a secure and reliable form of identification that is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation and that can be rapidly authenticated electronically. In addition, it would ensure NCUA credentials meet the HSPD-12 goal for interoperability of credentials for physical and logical access control. Furthermore, we believe that creating and issuing credentials before NCUA incorporates the federal certificate could lead to logistical challenges for NCUA, because the majority of NCUA employees are located in four Regional offices and the Asset Management Assistance Center (AMAC), which are geographically dispersed from the Central Office where NCUA issues and maintains the credentials. [7]

Recommendation #1: Prior to issuing its credentials, NCUA should incorporate a federal certificate on its credentials that is cross-certified with the Federal Bridge Certification Authority.

Management Response: Management disagreed with our recommendation. Management believes that given limited interoperability with other federal agencies and the significant cost per certificate involved, the expenditure of NCUA funds for the cross-certified certificate is not justified for all employees at this time. However, management also indicated it would load a limited number of cross-certified certificates on the PIV credentials of senior NCUA staff.

OIG Response: We understand that NCUA is making a business decision to not configure all its credentials with the cross-certified federal certificate at this time based on the cost-benefit. We do not plan to pursue this matter in resolution.

Recommendation #2: Prior to issuing its credentials, NCUA should submit a credential with the required certificate configuration to GSA for testing.

Management Response: Management agreed with our recommendation and indicated it is in the process of submitting the updated credential configuration to GSA prior to issuing the PIV cards.

OIG Response: We agree with the proposed action.

Recommendation #3: NCUA should issue its credentials as soon as practicable after fulfilling the two recommendations above.

Management Response: Management agreed with our recommendation. Management indicated it would issue credentials to all central and regional office staff after GSA tests the credential configuration. Specifically, management indicated it would issue credentials to field staff at the upcoming NCUA regional conference in September.

OIG Response: We agree with the proposed action.

[4] A certification authority is a trusted third party that issues digital certificates and validates the identity of the holder of a digital certificate.
[5] The FBCA allows an entity to accept digital identity certificates issued by other entities for transactions. It allows for trust between different agencies regardless of which entities are involved in the sharing of information.
[6] Microsoft is not an approved Shared Service Provider.
[7] The four Regional offices are located in New York, Georgia, Arizona, and Texas, and AMAC is also located in Texas.


C. NCUA does not have an HSPD-12 Implementation Plan

At OMB's request, NCUA provided its initial implementation status to OMB in June 2005 and an updated status in September 2006. However, NCUA does not have an implementation plan. In May 2005, when OMB requested agencies provide their implementation status by June 27, 2005, it informed agencies they needed to prepare a detailed implementation plan. In addition, when OMB published its overall HSPD-12 implementation guidance in August 2005, it listed the implementation plan as a requirement that agencies were supposed to provide to OMB by June 27, 2005. NCUA does not have an implementation plan because there is no single NCUA office responsible for directing and coordinating the various functional components involved in implementing the HSPD-12 program for the agency.

Several NCUA offices have responsibilities for implementing HSPD-12, such as OCIO, OHR, and OCFO. However, no single office has accepted the overall responsibility for directing and coordinating the implementation of HSPD-12 for the agency as a whole.

While OCIO and OCFO DPFM have considered and made efforts towards physical and logical access solutions, the agency may have been able to pursue or implement more timely access solutions if it had prepared an implementation plan. For example, OCIO could have established a budget and timeline to procure a certificate that is cross-certified with the FBCA for logical access control to federally controlled information systems. In addition, OCFO DPFM could have detailed a solution, timeline and budget for physical access to NCUA facilities in an implementation plan.

Regarding NCUA's physical access solution, OCFO DPFM began pursuing, in 2007, a card reader for building access under HSPD-12 that would be able to read both its legacy building access cards and the new PIV credentials, to replace NCUA's existing HID [8] devices. Recently, OCIO learned that PIV cards which function with NCUA's existing HID card readers were on the GSA Approved Products List. [9] These cards could potentially provide NCUA with a physical access solution under HSPD-12 without having to replace the existing readers. OCIO had planned to obtain and test some of these PIV cards as a potential solution. However, OCIO indicated it assessed the cards as a potential solution and determined they were too costly.

In addition, an implementation plan could have outlined NCUA's timeline to fulfill other HSPD-12 requirements it has not met, such as:

    • Accrediting and approving an identity proofing and registration process (see Finding D below);
    • Accrediting and approving a PIV issuance and management process (see Finding D below); and
    • Incorporating language into contracts requiring contractor compliance with HSPD-12 and FIPS 201 (see Finding E below).

Recommendation #4: NCUA's Executive Director should designate a single office with overall responsibility for directing and coordinating HSPD-12 implementation for NCUA.

Management Response: Management agreed with our recommendation and designated the NCUA Office of Human Resources (OHR) as the office responsible for HSPD-12 implementation.

OIG Response: We agree with the proposed action.

Recommendation #5: NCUA should develop a detailed HSPD-12 implementation plan.

Management Response: Management agreed with our recommendation and indicated it has been in the process of developing an implementation plan.

OIG Response: We agree with the proposed action.

[8] HID is a manufacturer of secure identity solutions and contactless smart card technology for physical access control.
[9] These cards have been on the GSA Approved Products List since September 2006.


D. NCUA does not have accredited and approved procedures for verifying the identities of its employees and contractor employees or for issuing and managing PIV credentials

OHR established and implemented an identity proofing and registration process for employees and contractor employees that meets key FIPS 201 requirements. [10] In October 2005, OHR published training and guidance on the roles, requirements and procedures for proofing and registration and made the training and requirements available on its intranet. In addition, OHR proofed and registered its existing employees and contractor employees starting in August 2006. OHR also prepared a "PIV Issuance and Maintenance" process for issuing and managing PIV credentials. However, NCUA has not approved or accredited these processes.

OMB required agencies to adopt and accredit [11] an approved [12] identity proofing and registration process by October 27, 2005. In addition, FIPS 201 requires agencies to accredit and approve their PIV issuance and management procedures. Furthermore, OMB indicated agencies cannot issue new identity credentials until they have approved and accredited procedures.

By accrediting and approving its proofing and registration and its PIV issuance and management procedures, NCUA would facilitate its ongoing ability to meet the HSPD-12 control objective to ensure agencies issue credentials based on sound criteria for verifying an individual employee's identity.

Recommendation #6: NCUA should accredit and approve its identity proofing and registration procedures prior to issuing credentials.

Management Response: Management agreed with our recommendation and indicated OHR is in the process of submitting the written procedures for accreditation and approval prior to issuing the credentials.

OIG Response: We agree with the proposed action.

Recommendation #7: NCUA should accredit and approve its PIV credential issuance and management procedures prior to issuing credentials.

Management Response: Management agreed with our recommendation and indicated it would comply with NIST requirements when it issues its credentials.

OIG Response: We agree with the proposed action.

[10] NCUA's identity proofing and registration process provides for separation of duties, and the process requires applicants to provide two acceptable forms of identity source documents.
[11] Agencies must accredit that these processes satisfy FIPS 201 requirements.
[12] The head of the agency must approve the procedures in writing.


E. NCUA contracts do not require contractor employee compliance with HSPD-12

NCUA employs contractor employees at its Central Office and its Asset Management and Assistance Center (AMAC). OHR began proofing and registering contractor employees starting in August 2006 and has also begun pursuing background checks on contractor employees. However, NCUA contracts do not include language requiring compliance with HSPD-12 and FIPS 201. OCFO DPFM and AMAC staff responsible for this requirement indicated they were not aware of the requirement.

OMB required that by October 27, 2005, all new contracts (including exercised options) that require contractors to have long-term access to federally controlled facilities or access to federally controlled information systems shall include language requiring compliance with PIV procedures. The Federal Acquisition Regulation includes a clause NCUA could use in its contracts that requires contractors to comply with HSPD-12 and FIPS 201.

By ensuring contractors are required to comply with PIV procedures, NCUA can ensure its contractor employees meet HSPD-12 requirements and continue to provide optimum services to NCUA employees and oversight of the nation's credit unions.

Recommendation #8: NCUA should update its contracts to include language requiring contractor employees to comply with HSPD-12 and FIPS 201.

Management Response: Management agreed with our recommendation and indicated it has taken action to update purchase orders and notify contractors of the requirement to comply.

OIG Response: We agree with the proposed action.


APPENDIX: NCUA MANAGEMENT COMMENTS